Configuration script for a new Raspberry Pi
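#!/usr/bin/env bash
#
# Bootstrap a freshly imaged Raspberry Pi (Raspbian) into a key-only,
# firewalled, auto-updating box with one sudo-capable admin user.
#
# Usage:  sudo ./pi-setup.sh        (reboots the Pi when it finishes)
#
# Edit only the variables above the "DO NOT EDIT" line.
#
# LOCKOUT WARNING: the last steps disable SSH password login and the "pi"
# account, so the public key below becomes the ONLY credential. Make sure
# the matching private key works before running this on a Pi you cannot
# reach with a keyboard and screen.

username=goodolclint
# Keep the quotes: an unquoted value containing spaces is parsed by bash as
# an environment prefix for a command, leaving $publickey empty and the
# resulting authorized_keys blank.
publickey='ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAnMfLbajwTboPlqFJyajrl9h+V++Nua0BibBiYkNckYbzQrl512pzYsqjp+Iti09FaJMo7ezbDjTa9PNv/H9oodiat8DZah+1EoRF4uoEATeWouU9ruhGHGLEe3CA9+48nqnfMRnWHrXymlpNEZCY6CuN+fQWZd7dFJ3fystOZ26R2t3ijWBitzsVntCPSYTLgbtqozbZk6efJwzwua+i8E9GbHOQ39jM1F6byoO9CFqaw6OwkSzvo03BNTLYofsw/cwb9MovjvDJz4x2/0DA0pz5zREhTbnhXpxxJAOfO8/IHiiLCF2zChBXUIamcpdCcnlo+WZYHBrUSIx1Fnr00Q== rsa-key-20161130'
# Network interface the firewall admits SSH on and allows all egress from.
# Raspbian calls the wired port eth0 unless predictable interface names are
# enabled; a wrong value here locks SSH out after the firewall step.
iface=eth0
# Any zone name that exists under /usr/share/zoneinfo.
timezone=America/Chicago

### DO NOT EDIT BELOW THIS LINE ###

# Fail fast: a partially applied run (e.g. useradd failed but "pi" still got
# disabled) is exactly the lockout this script must never cause.
set -euo pipefail
# Never block on apt/debconf prompts; conffile questions take their default.
export DEBIAN_FRONTEND=noninteractive

die()  { printf 'pi-setup: %s\n' "$*" >&2; exit 1; }
step() { printf '==> %s\n' "$*"; }

tmpdir=$(mktemp -d) || die 'mktemp failed'
trap 'rm -rf -- "$tmpdir"' EXIT

#######################################
# Abort early on anything that would make a later step unsafe.
#######################################
check_preconditions() {
  (( EUID == 0 )) || die 'This script must be run as root'
  [[ -n $username ]]  || die 'username must not be empty'
  [[ -n $publickey ]] || die 'publickey must not be empty'
  # Locking the firewall to an interface that does not exist means no SSH.
  [[ -d /sys/class/net/$iface ]] || die "interface '$iface' does not exist"
  [[ -f /usr/share/zoneinfo/$timezone ]] || die "unknown timezone '$timezone'"
}

#######################################
# Create $username with a home directory and bash as login shell.
# Idempotent: an existing account only gets its shell set.
#######################################
create_admin_user() {
  step "Creating user \"$username\""
  if ! id "$username" >/dev/null 2>&1; then
    useradd --create-home --shell /bin/bash "$username"
  fi
  chsh -s /bin/bash "$username"
}

#######################################
# Install $publickey as the sole authorized key for $username and verify
# that sshd can actually parse it.
#######################################
install_ssh_key() {
  step "Installing SSH public key for \"$username\""
  local home sshdir keyfile
  home=$(getent passwd "$username" | cut -d: -f6)
  [[ -d $home ]] || die "home directory '$home' of $username does not exist"
  sshdir="$home/.ssh"
  keyfile="$sshdir/authorized_keys"
  install -d -m 0700 "$sshdir"
  chown "$username:" "$sshdir"
  printf '%s\n' "$publickey" >"$keyfile"
  chmod 0600 "$keyfile"
  chown "$username:" "$keyfile"
  # Password login is switched off later; a key sshd cannot read would
  # leave no way in at all, so refuse to continue on an unparsable key.
  ssh-keygen -l -f "$keyfile" >/dev/null \
    || die 'publickey does not parse as an OpenSSH public key'
}

#######################################
# Give $username passwordless sudo via a validated /etc/sudoers.d drop-in.
#######################################
grant_sudo() {
  step "Allowing user \"$username\" to sudo without a password"
  local tmp="$tmpdir/sudoers"
  # NOPASSWD is deliberate for a key-only box: the SSH key is the credential,
  # and anyone holding it is effectively root on this Pi.
  printf '# allows user %s\n# to sudo without a password\n%s ALL=(ALL:ALL) NOPASSWD: ALL\n' \
    "$username" "$username" >"$tmp"
  chmod 0440 "$tmp"
  # A syntax error in sudoers.d breaks sudo for every user; check first.
  visudo -cf "$tmp" >/dev/null || die 'generated sudoers entry is invalid'
  # sudoers(5): files in sudoers.d whose name contains "." or ends in "~" are
  # skipped, so a username with a dot would be silently ignored here.
  install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/099-$username"
}

#######################################
# Bring all installed packages up to date.
#######################################
upgrade_system() {
  step 'Upgrading to latest Raspbian packages'
  apt-get update
  apt-get dist-upgrade -y
  apt-get autoremove -y
}

#######################################
# Install security updates automatically instead of only refreshing the
# package lists from cron.
#######################################
enable_unattended_upgrades() {
  step 'Enabling automatic installation of security updates'
  apt-get -qq -y install unattended-upgrades
  # Same content "dpkg-reconfigure unattended-upgrades" writes; apt's daily
  # job then refreshes the lists and runs unattended-upgrade.
  cat >/etc/apt/apt.conf.d/20auto-upgrades <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
  # NOTE(review): confirm that Origins-Pattern in
  # /etc/apt/apt.conf.d/50unattended-upgrades matches the Raspbian archive
  # this Pi pulls from; otherwise nothing is ever installed automatically.
}

#######################################
# Key-only SSH: disable password/keyboard-interactive auth and root login.
# The new config is test-loaded with "sshd -t" before it is installed.
#######################################
harden_sshd() {
  step 'Disabling SSH password authentication'
  local current=/etc/ssh/sshd_config
  local candidate="$tmpdir/sshd_config"
  local marker='# pi-setup: key-only authentication'
  if grep -qF -- "$marker" "$current"; then
    printf 'sshd_config already hardened, skipping\n'
    return 0
  fi
  # sshd_config(5): the FIRST value seen for a keyword wins. Putting ours at
  # the top overrides anything later in the file (or in an Include) and keeps
  # them outside any Match block further down, where appended settings would
  # otherwise land.
  {
    printf '%s\n' "$marker"
    printf 'PasswordAuthentication no\n'
    printf 'ChallengeResponseAuthentication no\n'
    printf 'PubkeyAuthentication yes\n'
    printf 'UsePAM yes\n'
    printf 'PermitRootLogin no\n'
    printf '\n'
    cat -- "$current"
  } >"$candidate"
  # Installing a config sshd refuses to load is a remote lockout after reboot.
  /usr/sbin/sshd -t -f "$candidate" || die 'generated sshd_config fails sshd -t'
  cp -- "$current" "$current.pi-setup.bak"
  install -m 0644 -o root -g root "$candidate" "$current"
}

#######################################
# Default-deny firewall: inbound SSH and ping on $iface, all egress on $iface,
# loopback open. Rules are persisted with iptables-persistent.
#######################################
configure_firewall() {
  step 'Creating iptables rules (IPv4)'
  # ACCEPT rules go in before the DROP policies so an SSH session running
  # this script is never cut off in between.
  iptables -F
  iptables -A INPUT  -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
  iptables -A INPUT  -i "$iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT  -i "$iface" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  iptables -A INPUT  -p icmp --icmp-type echo-request -j ACCEPT
  iptables -A OUTPUT -o "$iface" -j ACCEPT
  iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT DROP

  step 'Creating ip6tables rules (IPv6)'
  ip6tables -F
  ip6tables -A INPUT  -i lo -j ACCEPT
  ip6tables -A OUTPUT -o lo -j ACCEPT
  ip6tables -A INPUT  -i "$iface" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ip6tables -A INPUT  -i "$iface" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  # IPv6 does not work without Neighbour Discovery, and those ICMPv6 messages
  # are not part of a tracked connection, so an ESTABLISHED-only rule drops
  # them and the host silently loses IPv6:
  #   2 packet-too-big (path MTU discovery), 134 router-advertisement,
  #   135 neighbour-solicitation, 136 neighbour-advertisement
  local t
  for t in 2 134 135 136; do
    ip6tables -A INPUT -p icmpv6 --icmpv6-type "$t" -j ACCEPT
  done
  ip6tables -A INPUT  -p icmpv6 --icmpv6-type echo-request -j ACCEPT
  ip6tables -A OUTPUT -o "$iface" -j ACCEPT
  ip6tables -A OUTPUT -p icmpv6 --icmpv6-type echo-reply -j ACCEPT
  ip6tables -P INPUT DROP
  ip6tables -P FORWARD DROP
  ip6tables -P OUTPUT DROP

  step 'Persisting firewall rules across reboots'
  apt-get -qq -y install iptables-persistent
  # Save explicitly instead of relying on the package's debconf "save current
  # rules?" question, which is not shown under DEBIAN_FRONTEND=noninteractive.
  netfilter-persistent save
}

#######################################
# Blacklist the on-board WiFi and Bluetooth kernel modules.
#######################################
disable_radios() {
  step 'Disabling WiFi and Bluetooth'
  # A dedicated file so any existing /etc/modprobe.d/blacklist.conf is kept.
  cat >/etc/modprobe.d/disable-wifi-bluetooth.conf <<'EOF'
# WiFi
blacklist brcmfmac
blacklist brcmutil
# Bluetooth
blacklist btbcm
blacklist hci_uart
EOF
}

#######################################
# Set the system timezone to $timezone.
#######################################
set_timezone() {
  step "Setting timezone to $timezone"
  printf '%s\n' "$timezone" >/etc/timezone
  # Keep /etc/localtime in step with /etc/timezone; tzdata's configure step
  # reads the former on newer releases.
  ln -sf "/usr/share/zoneinfo/$timezone" /etc/localtime
  dpkg-reconfigure -f noninteractive tzdata
}

#######################################
# Grow the root filesystem to fill the SD card (applied on reboot).
#######################################
expand_rootfs() {
  step 'Expanding root filesystem (takes effect after reboot)'
  raspi-config --expand-rootfs
}

#######################################
# Neutralise the stock "pi" account: random password, locked, no shell.
# Skipped when the admin user *is* pi or no pi account exists.
#######################################
disable_pi_user() {
  if [[ $username == pi ]]; then
    printf 'admin user is "pi"; leaving it enabled\n'
    return 0
  fi
  if ! id pi >/dev/null 2>&1; then
    printf 'no "pi" account present, nothing to disable\n'
    return 0
  fi
  step 'Randomizing password for and locking user "pi"'
  local pipw
  # 48 random bytes, base64: no shell metacharacters, no ":" (chpasswd's
  # field separator), and no SIGPIPE race under pipefail.
  pipw=$(head -c 48 /dev/urandom | base64 | tr -d '\n')
  printf 'pi:%s\n' "$pipw" | chpasswd
  # -L locks the account on top of the random password. Debian ships
  # nologin under /usr/sbin, not /bin.
  usermod -L -s /usr/sbin/nologin pi
}

main() {
  check_preconditions
  create_admin_user
  install_ssh_key
  grant_sudo
  upgrade_system
  enable_unattended_upgrades
  configure_firewall
  disable_radios
  set_timezone
  expand_rootfs
  # The two steps that can lock us out run last, only once everything else
  # has succeeded (set -e aborts before reaching them otherwise).
  harden_sshd
  disable_pi_user
  step 'Rebooting'
  reboot
}

main "$@"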